A study by the Online Trust Alliance (OTA) said that 100 percent of reported Internet of Things (IoT) vulnerabilities in connected home and wearables products do not have to happen. Specifically, OTA found had device manufacturers and developers implemented the security and privacy principles outlined in the OTA IoT Trust Framework, that susceptibilities in products developed after November 2015 would have never occurred.
“In this rush to bring connected devices to market, security and privacy is often being overlooked,” said Craig Spiezle, Executive Director and President of the Online Trust Alliance. “If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings.”
The OTA Trust IoT Framework is the first global, multi-stakeholder effort to address IoT risks comprehensively. It includes a baseline of 31 measurable principles which device manufacturers, developers and policy makers should follow to help maximize the security of and privacy of the devices and data collected for smart homes and wearable technologies. OTA began developing the framework in February 2015, and released it formally in March 2016. This release reflected feedback from nearly 100 organizations including ADT, American Greetings, Device Authority, Infoblox, Malwarebytes, Microsoft, the National Association of Realtors, Symantec, consumer and privacy advocates, international testing organizations, academic institutions, and U.S. governmental and law enforcement agencies.
To come up with its findings, OTA researchers analyzed publicly reported device vulnerabilities from November 2015 through July 2016 to determine if an OTA IoT Trust Framework principle could have averted them. OTA found the most glaring failures were attributed to:
• Insecure credential management including making administrative controls open and discoverable.
• Not adequately and accurately disclosing consumer data collection and sharing policies and practices.
• The omission or lack of rigorous security testing throughout the development process including but not limited to penetration testing and threat modeling.
• The lack of a discoverable process or capability to responsibly report observed vulnerabilities.
• Insecure or no network pairing control options (device to device or device to networks).
• Not testing for common code injection exploits.
• The lack of transport security and encrypted storage including unencrypted data transmission of personal and sensitive information including but not limited to user ID and passwords.
• Lacking a sustainable and supportable plan to address vulnerabilities through the product lifecycle including the lack of software/firmware update capabilities and/or insecure and untested security patches/updates.
“Security starts from product development through launch and beyond but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support. Devices with inadequate security patching systems further opens the door to threats impacting the safety of consumers and businesses alike,” said Spiezle.